There are several similar questions here, but none of the solutions help me.
I want to generate a new Session with a new SessionId when I click the "Login" button, just to reduce security risk. Right now, the session is determined by the value of the corresponding cookie. If the cookie is not defined, a new Session will be generated with a new SessionId. If the cookie already exists before login, then an already existing Session with the SessionId specified in the cookie will be used.
In theory, an attacker could change the SessionId in the cookie before logging in, and the provided SessionId would be used as a result.
What is the best way to change the SessionId on login? I found a few ways:

1) Just remove the cookie (Generating new SessionId in ASP.NET):

```csharp
Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
```
This approach requires one more step. We need to send an AJAX request to the server, clear the cookie and finally send a second request to handle the "Login" button click.
2) Generate a new SessionID manually (How to Generate a new Session ID):

```csharp
SessionIDManager manager = new SessionIDManager();
string newID = manager.CreateSessionID(Context);
bool redirected = false;
bool isAdded = false;
manager.SaveSessionID(Context, newID, out redirected, out isAdded);
```
This is not working for me at all.
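
A sketch of the first approach done inside the login handler itself, using the post-login redirect as the second request. This is an added example, not code from the original post; it assumes forms authentication carries the identity and the default session cookie name, and `LoginSessionRotation`, `SignInWithFreshSession`, `BindSessionToUser`, `landingUrl` and the `"Owner"` key are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (hypothetical helper, not from the original post).
public static class LoginSessionRotation
{
    // Assumption: the default cookie name from <sessionState cookieName="...">.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Call from the Login button handler after the credentials were verified.
    // landingUrl must be a local, application-chosen URL (never user input).
    public static void SignInWithFreshSession(HttpContext context, string userName, string landingUrl)
    {
        // 1. Drop the state stored under the pre-login id, which the client
        //    may have supplied itself.
        context.Session.Clear();
        context.Session.Abandon();

        // 2. Expire the session cookie so the next request carries no id.
        context.Response.Cookies.Add(new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection
        });

        // 3. The identity travels in the forms-auth ticket, not in the old session.
        FormsAuthentication.SetAuthCookie(userName, false);

        // 4. Redirect: the follow-up request has no session cookie, so ASP.NET
        //    generates a new SessionId for the authenticated user.
        context.Response.Redirect(landingUrl, false);
        context.ApplicationInstance.CompleteRequest();
    }

    // Call on each request once session state is loaded (for example from
    // Application_PostAcquireRequestState in Global.asax).
    public static void BindSessionToUser(HttpContext context)
    {
        if (context.Session == null || !context.Request.IsAuthenticated) return;
        string owner = context.Session["Owner"] as string;
        string user = context.User.Identity.Name;
        if (owner == null)
            context.Session["Owner"] = user;      // first request of the fresh session
        else if (!string.Equals(owner, user, StringComparison.Ordinal))
            context.Session.Abandon();            // session was created for someone else
    }
}
```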